The ICO has published new guidance on how organisations should handle data subject access requests (DSARs), aiming to simplify and clarify the process.
The publication of the guidance follows the ICO’s December 2019 consultation. The ICO has said it also plans to publish a more focused version of the guidance for small businesses.
Responding to DSARs has become an increasingly costly and cumbersome requirement for organisations. While the guidance does not go as far as some respondents to the consultation had hoped in making things easier for data controllers, it does include welcome changes. The key developments are the right to ‘stop the clock’ when seeking clarifications, additional guidance on identifying ‘manifestly excessive’ or ‘manifestly unfounded’ requests, and guidance on fees for dealing with excessive or unfounded requests.
The guidance gives organisations the right to ‘stop the clock’ on the response deadline in some situations. If an organisation holds a large amount of information and it is not clear what information an individual is requesting, or where it is genuinely unclear whether an individual is making a DSAR, the organisation can seek clarification. The guidance says the deadline for responding extends for the same amount of time as the requester takes to provide the clarification.
This helps organisations avoid the double bind of facing an approaching deadline without enough information to provide a meaningful, focused reply. However, if an individual responds by either repeating their original request or refusing to provide any additional information, the organisation still has an obligation to act diligently and should make reasonable searches based on the information provided in order to reply. If an individual does not reply at all, the organisation can ‘close’ the DSAR without replying further after a reasonable period of time.
Organisations have always been able to reject ‘manifestly’ excessive or unfounded DSARs. The new guidance gives more direction on when a DSAR falls into those categories.
In both cases the starting point is that an organisation must consider a request on its own merits, and avoid a blanket approach.
The guidance gives examples of manifestly unfounded requests, including those which show no genuine intention of exercising the right (e.g. requesting payment to withdraw a request) and those which are malicious in their intent or harassing (e.g. making unsubstantiated allegations, targeting an employee, or bombarding different parts of an organisation with requests to cause disruption).
To decide if a request is manifestly excessive an organisation needs to decide whether it is clearly or obviously unreasonable. It should base that assessment on whether the DSAR is proportionate when balanced with the burden or costs involved. This assessment should take into account:
The guidance points out that a DSAR is not necessarily excessive just because a requester asks for a large amount of information. If an organisation considers a request excessive, it should consider asking the requester for more information to help it locate the relevant information, and consider ways of making reasonable searches for that information.
The guidance is clear that organisations should not have a blanket policy for categorising DSARs as manifestly excessive, and should have strong justifications for making that decision which they can provide to the requester and to the ICO.
The guidance says that instead of refusing to reply to a manifestly excessive or unfounded request, an organisation can charge a reasonable fee for replying. Those costs can include:
There is no regulatory guidance on the limits to ‘reasonable’ fees, but organisations should ensure they are proportionate and consistent.
Importantly, if an organisation elects to charge a fee, it does not have to reply to the DSAR until it has received the fee.
The guidance includes other useful points for organisations handling DSARs:
Although the guidance is not a silver bullet for the increasing burden on organisations of replying to DSARs, it includes helpful changes and clarifications that should make things simpler and (in some cases) less costly. The key for organisations in taking advantage of the updated guidance will be identifying and applying a consistent approach to DSARs, whilst always looking at the context of each DSAR individually.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.